Simply put: the WPS PIN is 8 digits long!
Most of you will not get my point easily, brother. In a WPS-enabled WiFi network we don't need to brute-force the password; rather we brute-force the WPS PIN. Well, the problem is with this WPS PIN. If you have the PIN you are authenticated to connect to the network.
Now you would be thinking the cracking should be a bit hard. Well, if you attack the PIN it's like 1 try per second to 1 try per 10 seconds. 1 try per second I am considering for a good laptop. First of all you should be close enough to the WiFi to catch the data packets. Well, regarding the practical part or the in-depth working of it you can raise another question on it; let me here remove your doubt.
So the WPS PIN is 8 digits long. So the total possible outcomes of this PIN are 10^8 (actually 9999999 to be precise). Anyway, now you would be thinking it should be pretty hard, because even if I consider one attempt per second it should take a lot of time. But wait, the problem is that the PIN is actually checked in two steps. I mean the first half (first 4 digits) and the second half (last 4 digits) are checked independently. The 8th digit is actually a checksum value of the first 7 digits. So if you find the first 7 digits you can simply find the 8th digit.
Now the total possibilities for the first four digits is 10^4 and for the next 3 digits is 10^3 (as the 8th one will be calculated from the 7 digits). So the total possibilities of the PIN are 10^4 + 10^3 = 11000 possibilities. 1 hour has 3600 seconds, so 1 try per second means 3600 tries per hour. Now you see the results. You can crack it in a few hours using brute force.
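The checksum rule and the keyspace arithmetic above, as an added worked example (this is not code from the answer above). The check-digit rule is the one from the WPS specification: digits 1, 3, 5 and 7 of the PIN are weighted 3, the others 1, and the 8th digit makes the weighted sum a multiple of 10. The PIN values and the 1 try per second rate are constructed sample inputs taken from the answer's own figures; nothing here touches a network.

```python
# Added example: WPS PIN check digit and the effective brute-force keyspace.
# The checksum rule is from the WPS specification; sample PINs are constructed.

def wps_checksum(first_seven: int) -> int:
    """Return the 8th (check) digit for the first 7 digits of a WPS PIN.

    Walking the digits from the right, the last digit gets weight 3, the next
    weight 1, and so on; the check digit brings the sum to a multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected a value with at most 7 digits")
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)   # positions 7, 5, 3, 1 weighted 3
        n //= 10
        accum += n % 10         # positions 6, 4, 2 weighted 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def split_pin(pin: str) -> tuple[str, str]:
    """Split a PIN into the two halves the registrar confirms independently."""
    return pin[:4], pin[4:]


def keyspace(attempts_per_second: float = 1.0) -> dict:
    """Worst-case attempts and hours: naive 10^8 view vs. the real keyspace.

    The first half (4 digits) is confirmed on its own, so it costs at most
    10^4 tries; the second half has only 3 free digits because the 8th is
    derived, so it costs at most 10^3 more. The totals add, not multiply.
    """
    naive = 10 ** 8
    first_half = 10 ** 4
    second_half = 10 ** 3
    effective = first_half + second_half   # 11000, as the answer states
    return {
        "naive_attempts": naive,
        "effective_attempts": effective,
        "naive_hours": naive / attempts_per_second / 3600,
        "effective_hours": effective / attempts_per_second / 3600,
    }


if __name__ == "__main__":
    # Constructed sample: 1234567 gets check digit 0, so 12345670 is well-formed.
    print("checksum(1234567) =", wps_checksum(1234567))
    print("12345670 valid:", is_valid_pin("12345670"))
    print("halves:", split_pin("12345670"))
    for rate in (1.0, 0.1):   # the answer's 1 try/sec and 1 try/10 sec figures
        k = keyspace(rate)
        print(f"{rate} try/s: naive {k['naive_hours']:.0f} h, "
              f"effective {k['effective_hours']:.1f} h")
```

At 1 try per second the effective keyspace of 11000 PINs is exhausted in a little over 3 hours, against roughly 27,000 hours if all 10^8 PINs had to be tried; this is the reason the answer ends by saying to avoid WPS altogether, and the only real fix on the defender's side is to disable WPS (at least the external PIN method) on the access point.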
In fact you can go for other methods like evil twin or others (you won't even need them there). Some apps like WPA WPS Tester try some default PINs and they crack too fast, I mean in minutes or sometimes seconds (not all WiFi obviously, but still a high success rate). It shows the lack of randomness in the WPS PINs being used.
In fact even if it's not WPS enabled you can go for many attacks, say evil twin, or say gathering handshake info and trying to get access from it, etc. Using default passwords and default admin names (depending upon the router provider) and using the default passwords for WiFi access that are provided is done a lot by attackers (because people are lazy and hardly feel like changing anything).
If you want to know about other attacks, do invite me to some other question in the comments. Hope the point for which you raised the question is clear to you.
If it's a WPS-locked router, that is, the access point locks after a few attempts, say after 3 attempts it locks your MAC address, then you need to spoof your MAC after each 3 attempts; say in reaver you can run: reaver -i mon0 -c x -b xx:xx:xx:xx:xx:xx -vv --mac=vv:vv:vv:vv:vv:vv
WPS push button: Some people are confused about whether hackers use the WPS push button feature to hack WiFi. First of all, the WPS PIN is mandatory but the push button is not in a router. What actually happens is, if I push my router's WPS button, that means anyone who uses the WPS push button on his phone or laptop or other device will get connected to me within around 2 minutes (of pushing the button on the router). Otherwise the WPS PIN should already be there in your device. This is a feature and not hacking. The question was about WPS hacking using brute force. Remember, in the 2 minutes of setting up the router which follows the push button anyone can join it (just press the push button on your phone), so better avoid it. In fact, avoid WPS at all.